Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Mon Jul 17, 2017 3:15 pm

Hi Zsolt,

Thank you for sending me the project. I tested it and, indeed, I reproduced the behavior.

However, I noticed that because of the "NOT UPGRADINGPRODUCTCODE" condition that is set for the "AI_FwUninstall" custom action in the "Table Editor" page, the firewall rules added by the first version are not removed during the upgrade to the second version. Furthermore, those rules are added again by the second version, so they gets duplicated. Hence, during the uninstall of the second version, only the rules this version added are removed.

In order to avoid this, you need to go to the "Windows Firewall" page and, as mentioned in the second post above, use the following condition for your rules: NOT OLDPRODUCTS

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: The scope of a firewall rule is set back to default after installing an update pack

Fri Jul 21, 2017 11:16 am

Hi Eusebiu,

Please let me gather all the info into one letter, this way I hope the solution will be quicker (this problem was reported by a customer who is still waiting for us).

Scenarios that should work:

Scenario 1:
1. Customer has an older version of our product installed on his PC. Old product does not contain the new Firewall related modifications - neither the new conditions under Windows Firewall tab nor the new condition of AI_FwUninstall in Table Editor. This means the old product will always remove all the Firewall rules on upgrade. We have to keep this in mind while trying to find a proper solution for our Firewall issues. The future version of our product must add the Firewall rules only if they are not there.
2. Customer has some custom IPs defined under the Properties->Scope tab of one of his firewall rules. Customer would like to keep the rules.
3. Customer installs a new version (which already contains the newest Firewall related changes) of our product.
Expected result: Since the old product has removed the fw rules and the new product had to add them, the custom IPs from Scope tab are missing. That's ok.

Scenario 2:
1. Customer has a newer version (which already contains the newest Firewall related changes) of our product installed on his PC.
2. Customer installs another new version (increased version number) as MAJOR update (Generate new).
Expected result. Since both version contain the Firewall related changes you proposed, FW rules are kept as well as IPs in Scope.

Scenario 3:
Same as Scenario 2 but a MINOR update (Keep existing) should be tested.
Expected result. Since both version contain the Firewall related changes you proposed, FW rules are kept as well as IPs in Scope.

Scenario 4:
The uninstall operation of our product should always remove the firewall rules too. This should be tested after Scenario 1-3.


Things we tried out:
1. Added your original snipplets: appended (NOT OLDPRODUCTS) to the condition field of all firewall rules under Windows Firewall tab + used the following condition for AI_FwUninstall: (VersionNT >= 501) AND (REMOVE="ALL") AND (NOT UPGRADINGPRODUCTCODE)
Issues: Issue 1: Scenario 2 was working but Scenario 3 was not.
Issue 2: Scenario 1 was not working: rules were removed by the old product and they were not added by the new. This issue is critical for our customers. We need a proper condition for each of our Firewall rules under Windows Firewall tab. Rules must be added if they were removed by the previous product. They should never be missing.

2. As I reported to you that Scenario 3 was not working, your colleague, Daniel, proposed me to use this modified condition under Windows Firewall tab
(NOT OLDPRODUCTS) AND (NOT AI_DETECTED_MINOR_UPGRADE)
Issues: Issue 1: Scenario 3 was still not working
Issue 2: Scenario 1 was still not working

3. We implemented a custom action to identify the FW rules while installing the product. You can find that custom rules in the latest .aip we sent you.
Issues: Scenario 1-3 were working fine, but under special circumstances some of our FW rules remained on the PC after uninstalling our product.

As you can see we invested a lot of time into this issue due to its severity. Could you please help us to figure out proper FW conditions which makes all scenarios working?

Thanks in advance,
Zsolt

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Mon Jul 24, 2017 3:48 pm

Hi Zsolt,

To resolve Scenario 1, you can create a "Product Version (identify by Upgrade Code)" search which will take the old version that is already installed on the machine. If the old version does not contain the new conditions for Windows Firewall, the new version will install the rules during the upgrade (because the old one had already removed them).

Can you please give me more details about the problems that are encountered in Scenario 3? Are the rules duplicated or they are all removed?

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: The scope of a firewall rule is set back to default after installing an update pack

Wed Aug 09, 2017 8:37 am

Dear Eusebiu,

Sorry for the delayed answer, I was off for several days. To be honest we don´t want to play around with various custom actions implemented by us. You known better than me more custom actions mean more potential problems. That´s why we´d like to get the problem solved in an "Advanced Installer way": purely playing with the Firewall conditions on your Firewall tab and in your table editor.

Can you please give me more details about the problems that are encountered in Scenario 3?
It´s just simply not doing what we want. Our goal is
1. Keeping the firewall rules on the PC (don´t replace them) in case a new version of our product is installed.
2. As you wrote in your previous mail, you found out that some of our rules are getting duplicated under special circumstances - obviously this is also something what should never happen.
3. If the user uninstalls our product, all of our firewall rules should be gone too.

These bulletpoints should work if we install a new version of our product, no matter if it´s a minor or major update pack. They should also work if we install a "modified" version of our product (including your changes) over an "older" version (without your changes).

Could you please as thoroughly test it as I did. From my previous mail you can see that I invested quite a lot of time in it, playing through all the possible scenarios. It´d be highly appreciated if you´d create several EXE files (minor and major too) on your side with different conditions under firewall tab/table editor and play through my Scenarios with those EXEs. You could see then if the firewall rules are missing or not, if the IPs under the Scope tab of a firewall rule are kept or not, if they are really uninstalled if the product is gone.

Thanks in advance!

Best regards,
Zsolt

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Wed Aug 09, 2017 2:50 pm

Hi Zsolt,

As mentioned in the previous posts, you can achieve your goals by implementing the steps below:
1. Keeping the firewall rules on the PC (don´t replace them) in case a new version of our product is installed.
Go in the "InstallExecuteSequence" table from the "Table Editor" page and add the following condition for the "AI_FwUninstall" row: AND (NOT UPGRADINGPRODUCTCODE)
2. As you wrote in your previous mail, you found out that some of our rules are getting duplicated under special circumstances - obviously this is also something what should never happen.
To avoid this you need to use the "NOT OLDPRODUCTS" condition for the firewall rules in the "Windows Firewall" page and also create a "Product Version (identify by Upgrade Code)" search to see if the rules were removed by the old version or not.
3. If the user uninstalls our product, all of our firewall rules should be gone too.
I'm afraid that a package only uninstalls the firewall rules that it added. But, if they were not removed by the related package (as described at point 1.), they will not be removed later by another version. In this case, you can only remove them through a custom action.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: The scope of a firewall rule is set back to default after installing an update pack

Fri Aug 25, 2017 12:31 pm

Hi Eusebiu,

Regarding
I'm afraid that a package only uninstalls the firewall rules that it added. But, if they were not removed by the related package (as described at point 1.), they will not be removed later by another version. In this case, you can only remove them through a custom action.

As you proposed I create a new custom action which should remove our firewall rules from the PC. The custom action is an inline PowerShell script with the following settings:
Execution Time: Immediately
Execution Options: Wait for custom action to finish before proceeding

Execution Stage Condition:
Regular uninstall checkbox and Maintenance checkbox are selected, the condition is the following:
(( REMOVE = "ALL" OR AI_INSTALL_MODE = "Remove" ) AND NOT UPGRADINGPRODUCTCODE AND NOT AI_DETECTED_MINOR_UPGRADE)
We use this condition, because we would like to remove the the firewall rules only if our product is completely getting removed. In case a minor or major update pack removes the old product, the FW rules should be kept. Is this conditions good enough?

The custom action works fine and removes the FW rule if:
1. We go to Programs and Features -> right click on our product -> Uninstall
2. We doubleclick our installer EXE and we select Remove option from the Modify-Repair-Remove dialog.

The custom action DOES NOT work if we go to Programs and Features -> right click on our product -> Change menu -> select Remove from the Modify-Repair-Remove dialog.

Could you please tell us why the custom action runs in the first 2 scenarios but does not run in the last scenario?

Thanks in advance,
Zsolt

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Mon Aug 28, 2017 2:58 pm

Hi Zsolt,

There should not be any difference using the "Change" button when the package is double-clicked or when the product is right-clicked in the "Programs and Features" page. I tested this with the condition you mentioned and the custom action was executed on uninstall in both cases. Can you send me verbose logs for each of the two different product removals, so I can investigate them?

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: The scope of a firewall rule is set back to default after installing an update pack

Mon Sep 04, 2017 12:07 pm

Dear Eusebiu,

I had the same opinion as you, I thought the Change button shoud act in the same way, no matter if we trigger it via a double-click on the EXE or from Programs and Features. In practice there must be some difference, what you can see on the following 2 videos:
Video 1: DoubleClick->Remove: https://www.screencast.com/t/fNdwOw9mPsk2
Video 2: Programs and Features -> Change -> Remove: https://www.screencast.com/t/kDssj4tQZ

At the end of the first video I show you our RemoveFirewallRules custom action too.

Moreover I´m attaching 2 log files for each scenarios. From the logs I see that RemoveFirewallRules has been executed in both cases, that´s why I have no clue why our Firewall inboud rule remains in place in the 2nd scenario. Maybe its a permission issue or a Windows bug?

Best regards,
Zsolt
Attachments
MSI_log_ProgramsAndFeatures_Change_Remove.zip
(292.42KiB)Downloaded 229 times
MSI_log_DoubleClickOnExe_Remove.zip
(889.08KiB)Downloaded 240 times

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Tue Sep 05, 2017 1:57 pm

Hi Zsolt,

Indeed, the logs show that the "RemoveFirewallRules" custom action is executed in both cases, but I'm not sure why it does not remove the firewall rules when uninstalled from Control Panel.

The only difference that I noticed in the scenarios you presented is that when the product is uninstalled from Control Panel, the MSI package is launched without the EXE Bootstrapper. Can you go in the "Themes" page, "Settings" tab, check the "Always" option for the "Enhanced User Interface" feature and retest the uninstallation from Control Panel?

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: The scope of a firewall rule is set back to default after installing an update pack

Wed Sep 06, 2017 10:18 am

Dear Eusebiu,

Thanks for the tip, it worked. Clicking on our product in Programs and Features shows a slightly different context menu, removing our product in this way takes longer but at least it removed the FW rules too.

Best regards,
Zsolt

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Wed Sep 06, 2017 12:39 pm

You're welcome Zsolt. I'm glad this worked.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: The scope of a firewall rule is set back to default after installing an update pack

Wed Oct 11, 2017 10:49 am

Dear Eusebiu,

Recently we found an interesting side-effect caused by the fact that we selected the "Always" option (proposed by you) for "Themes/Settings/Enhanced User Interface" radiobox: if we isntall 2 MINOR update packs (same product code and upgrade code) on the same PC, both of them are visible at Programs and Features.

This is something neither us nor our customers want to see. After some research I also found out that changing the value of "Enhanced User Interface" will enable 2 another checkboxes at Product Details tab:
"Override Windows installer programs list entry"
"Use a single Uninstall/Change button instead of separate buttons for each operation"
That´s why we see the MINOR updates next to each other.

Our goals are:
1. Fixing the FW removal issue that you could reproduce already in a way.
2. MINOR update packs should act in the same way like in the past: they should not appear next to each other. The 2 checkboxes at Product Details should be unselected like before.

Please advise us something! It seems we can´t use the "Always" option for "Enchanced User Interface".

Thanks in advance!

Best regards,
Zsolt

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: The scope of a firewall rule is set back to default after installing an update pack

Tue Oct 17, 2017 1:46 pm

Hi Zsolt,

Indeed, it is a known limitation that when the "Override Windows installer programs list entry" option is checked, the patches have separate entries in the Programs and Features list. This happens because the details about the product are stored in the registry under a key that contains the Product Version, so each version will have its separate key.

In order to avoid this, you can go in the "Table Editor" page, "Registry" table and remove the "[ProductVersion]" string from the rows displayed in the image below. However, please note that in this case you cannot use side by side installations anymore.

Best regards,
Eusebiu
Attachments
Override Windows Installer registry.png
Override Windows Installer registry.png (89.03KiB)Viewed 5574 times
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”